AAA PIX

No, we don't have pictures of auto club members. Rather, this refers to authentication on Cisco PIX firewalls. In this segment, part 6 of our series of excerpts from the book Cisco Secure Internet Security Solutions, you will learn how to use the commands that authenticate, authorize, and account for users.

AAA Commands
You have enabled AAA using Terminal Access Controller Access Control System Plus (TACACS+) on your PIX for authenticating, authorizing, and accounting for users passing from the inside through the outside interface. You have also enabled TACACS+ authentication for those connecting to the PIX through the console.

The first command you need to look at is the aaa-server command. The example sets the server to TACACS+ on the inside interface with the IP address of 10.1.1.41. You are using thekey as your TACACS+ key and have set a timeout of 20 seconds. This command is also responsible for starting AAA on the PIX. The full syntax of the aaa-server command follows:

aaa-server group_tag (interface_name) host server_ip key timeout seconds

The parameters and keywords, along with their descriptions, are listed in Table 4-3:

Table 4-3  aaa-server command parameters

Parameter        Description
group_tag        The server group this entry belongs to: TACACS+ or RADIUS. The aaa commands refer to the group by this tag.
interface_name   Name of the interface where the server resides.
host             Keyword designating that a single host IP address follows.
server_ip        The IP address of the server.
key              The alphanumeric key expected at the server; it is the shared secret and must match the key configured on the TACACS+ or RADIUS server.
timeout          Keyword designating that the parameter following is the number of seconds.
seconds          The time in seconds that the PIX waits after sending a request without receiving a response before another request is sent. The default is 5 seconds. Four requests are sent before the PIX gives up on the server.

After starting AAA, you authenticated, authorized, and accounted for any outbound traffic. For a full description of these three processes, see Chapter 10. For the moment, it will suffice to say that when users attempt to send data outside, first they are checked to ensure that they are who they claim to be, then a check determines whether they are allowed to send the data outside, and then a record is made that the users sent the data. You accomplish these three tasks in this example with three lines of the same form, one each for aaa authentication, aaa authorization, and aaa accounting.

The key word in these lines is outbound, which means packets traversing from the inside interface through the outside interface. The any in these lines refers to the service being controlled; possible values are any, ftp, http, telnet, or protocol/port. The four zeros refer, in order, to the local address, the local mask, the foreign IP address, and the foreign mask, so 0 0 0 0 matches every local and every foreign host. The final parameter is the group_tag, which selects the server group that handles the request, TACACS+ or RADIUS. It is possible to run both TACACS+ and RADIUS at the same time. To accomplish this, merely add another aaa-server command with the other service and reference its group_tag from the aaa lines that should use it.

The aaa authentication command has another form that authenticates connections to the PIX itself: the serial console port, Telnet sessions to the PIX, and entry into enable mode. The full syntax of this command follows:

aaa authentication [serial | enable | telnet] console group_tag

Because this form places your own management access behind the TACACS+ server, confirm from an existing session that the server is reachable and that the key matches before you rely on it; a wrong key or an unreachable server otherwise shows up as a lockout.
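The following Python is an added example, not code from the book or from Cisco. It parses the three AAA command forms described above (aaa-server, the outbound aaa rules, and console authentication) and runs the checks a reviewer would make on them: every group_tag referenced by an aaa line must be defined by an aaa-server line, the worst-case stall when a server is down follows from the timeout and the four requests of Table 4-3, and console authentication that hangs off a single server is flagged. The sample configuration inside the block is constructed from the section's description of the commands; it is not the page's own listing, and the assumption that the PIX tries the servers of a group one after another is the example's, not the page's.

```python
"""Parser and sanity checks for the PIX AAA command forms described in this
section. Constructed example: not code from the book or from Cisco. The sample
configuration below is reconstructed from the section's description (server
10.1.1.41 on the inside interface, key thekey, timeout 20, three outbound aaa
rules, console authentication); it is not the page's own listing. The retry
count (four requests) and the 5-second default timeout come from Table 4-3;
trying the servers of a group one after another is an assumption."""
import re

RETRIES = 4            # Table 4-3: four requests are sent before timing out
DEFAULT_TIMEOUT = 5    # Table 4-3: default timeout in seconds

AAA_SERVER = re.compile(
    r"^aaa-server\s+(?P<tag>\S+)\s+\((?P<iface>[^)]+)\)\s+host\s+(?P<ip>\S+)"
    r"\s+(?P<key>\S+)(?:\s+timeout\s+(?P<timeout>\d+))?$")
AAA_RULE = re.compile(
    r"^aaa\s+(?P<kind>authentication|authorization|accounting)\s+(?P<service>\S+)"
    r"\s+(?P<direction>inbound|outbound)\s+(?P<lip>\S+)\s+(?P<lmask>\S+)"
    r"\s+(?P<fip>\S+)\s+(?P<fmask>\S+)\s+(?P<tag>\S+)$")
AAA_CONSOLE = re.compile(
    r"^aaa\s+authentication\s+(?P<access>serial|enable|telnet)\s+console\s+(?P<tag>\S+)$")


def parse_aaa(config_text):
    """Collect aaa-server entries (keyed by group tag), traffic rules and
    console-authentication lines; lines that are none of these are ignored."""
    cfg = {"servers": {}, "rules": [], "console": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = AAA_SERVER.match(line)
        if m:
            timeout = int(m["timeout"]) if m["timeout"] else DEFAULT_TIMEOUT
            cfg["servers"].setdefault(m["tag"], []).append(
                {"iface": m["iface"], "ip": m["ip"], "key": m["key"], "timeout": timeout})
            continue
        m = AAA_CONSOLE.match(line)
        if m:
            cfg["console"].append(m.groupdict())
            continue
        m = AAA_RULE.match(line)
        if m:
            cfg["rules"].append(m.groupdict())
    return cfg


def worst_case_wait(cfg, tag):
    """Seconds a request can stall when every server in the group is down:
    each server gets RETRIES requests at its own timeout (assumed sequential)."""
    return sum(s["timeout"] * RETRIES for s in cfg["servers"].get(tag, []))


def check_aaa(cfg):
    """Return (severity, message) findings a reviewer would raise."""
    findings = []
    for r in cfg["rules"] + cfg["console"]:
        if r["tag"] not in cfg["servers"]:
            findings.append(("error", f"group {r['tag']} is referenced but no aaa-server defines it"))
    for tag, servers in cfg["servers"].items():
        findings.append(("info", f"{tag}: {worst_case_wait(cfg, tag)}s worst-case wait "
                                 f"({len(servers)} server(s) x {RETRIES} requests each)"))
        if len(servers) == 1 and any(c["tag"] == tag for c in cfg["console"]):
            findings.append(("warn", f"{tag}: console authentication depends on the single "
                                     f"server {servers[0]['ip']}; keep a second session open "
                                     "while enabling it"))
    return findings


# Constructed sample configuration (see the module docstring).
SAMPLE_CONFIG = """\
aaa-server TACACS+ (inside) host 10.1.1.41 thekey timeout 20
aaa authentication any outbound 0 0 0 0 TACACS+
aaa authorization any outbound 0 0 0 0 TACACS+
aaa accounting any outbound 0 0 0 0 TACACS+
aaa authentication serial console TACACS+
aaa authentication telnet console TACACS+
aaa authentication enable console TACACS+
"""

if __name__ == "__main__":
    for severity, message in check_aaa(parse_aaa(SAMPLE_CONFIG)):
        print(f"[{severity}] {message}")
```

With the section's timeout of 20 seconds, a dead TACACS+ server holds every outbound authentication for 80 seconds before the PIX gives up on it, which is the figure to weigh against the default of 5 seconds when choosing the timeout.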

outbound and apply Commands
Now that you have seen how AAA can limit outbound access through an interface, there is another way to control and limit access from a higher security level interface to a lower security level interface. This method uses PIX access lists configured with the outbound and apply commands. The first thing to remember about this type of PIX access list is that it operates in a totally different manner than a router's access list. If you are intimately familiar with router access lists, you might have a harder time accepting how PIX access lists work than those who are not so familiar with router access lists. The order of a router's access list is vitally important, because the first match causes a rejection or acceptance. The PIX, however, uses a best-fit mechanism for its access lists: the most specific matching entry wins, whatever its position. This allows the administrator to deny whole ranges of IP addresses and then allow specific hosts through at a later date without having to rewrite the whole access list. The PIX access list is also neither a standard nor an extended access list, but rather a combination of the two forms.

Where a router uses two commands, access-list and access-group (or access-class), to define and apply an access list, the PIX uses the outbound and apply commands to define and apply an access list.

netmask     The subnet mask associated with the IP address. Remember that this is a subnet mask, not a wildcard mask as used on routers. Where a router would have a wildcard mask of 0.0.0.255, the PIX would have a subnet mask of 255.255.255.0.
port        The port or range of ports associated with this command.
java        The keyword java is used to indicate port 80. When java is used with a deny, the PIX blocks Java applets from being downloaded from the IP address. By default, the PIX permits Java applets.
protocol    This limits the entry to one of the following protocols: UDP, TCP, or ICMP. TCP is assumed if no protocol is entered.

Now that you know how the command works, look at the effects of the commands. The first two lines of the configuration regarding access lists are the deny and except entries of the limit_acctg list; both are quoted again in the line-by-line review at the end of this section.

The first outbound command denies all packets to the Class C network at 10.200.200.0. With the apply command used in this example (outgoing_dest), the deny and permit forms of the outbound command refer to the destination IP address. You could use the word permit in the example instead of deny, which would allow packets to these IP addresses. The effects of the second line cannot be fully determined until you look at the apply command. However, you can still see that an exception to the previous deny command exists. This exception allows packets associated with the IP address of 10.10.1.51 through the PIX. Here the word associated is used instead of destination or source because whether you are concerned about the source or the destination IP address is actually determined by the apply command. If the apply command specifies outgoing_src, the permit and deny entries match the source address of the packet and the except entry matches the destination; if the apply command specifies outgoing_dest, the permit and deny entries match the destination address and the except entry matches the source.

This is a two-step process that requires the administrator to ask two questions. First, look at the outbound command: is this a permit, deny, or except statement? Next, look at the apply command: is it outgoing_src or outgoing_dest? The answer to the second question decides whether each address in the list is a source or a destination address.

The next two lines are easy to understand. You permit access to the hosts at 10.200.200.66 and 10.200.200.67. At this point, you still do not have a definition as to whether the IP address associated with the except is a source or destination address. However, the apply command will resolve this outstanding issue. Both permit lines are quoted again in the review at the end of this section.

The apply statement is used to connect an access list with an interface and to define whether IP addresses specified with that access list are source or destination IP addresses. This example of the apply command follows:

apply (accounting) limit_acctg outgoing_dest

In this example, you applied an access list to the interface previously defined as accounting by the nameif command. The access list you connected is the one called limit_acctg. As with a router's access lists, only one access list can be applied in a given direction on any PIX interface.

This apply command, by using outgoing_dest, has applied the except command to source addresses. The alternative, outgoing_src, would apply the except command to destination addresses. The application of this command therefore has a distinct effect on the access list: the IP address specified by the except command (10.10.1.51) is a source address, while the addresses in the permit and deny entries are destination addresses.

For review purposes, refer to Figure 4-9 while reading the following discussion of the command lines used.

The following line prevents access to all of the 10.200.200.0/24 network from all hosts on all TCP ports (no port is given, and TCP is assumed when no protocol is entered). The PIX uses subnet masks, not wildcard masks.

outbound limit_acctg deny 10.200.200.0 255.255.255.0

The following line is an exception to the preceding line. Because the apply statement uses outgoing_dest, the except address is a source address, so the preceding denial of access to the 10.200.200.0 network does not apply to the host with the IP address of 10.10.1.51. Because the security level is higher on the network where this computer sits, this computer has access to the whole of the 10.200.200.0 network.

outbound limit_acctg except 10.10.1.51

The following line allows all hosts on all networks with a higher security level to have access to the host at 10.200.200.66.

outbound limit_acctg permit 10.200.200.66

The following line allows all hosts on all networks with a higher security level to have access to the host at 10.200.200.67.

outbound limit_acctg permit 10.200.200.67

The following line applies the access list called limit_acctg to the accounting interface and, through outgoing_dest, specifies that the IP address within the except command refers to a source address.

apply (accounting) limit_acctg outgoing_dest

It is important to remember that the order of the outbound statements is not a concern because the PIX uses a best-fit algorithm.
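To make the two-step reasoning and the best-fit behaviour concrete, here is an added example in Python that models how a PIX evaluates an outbound list under an apply command, using the limit_acctg list from this section. It is not part of the book and not PIX code. Beyond what the page states, it assumes that an omitted netmask means a single host, that 0 for an address or mask means 0.0.0.0, that an omitted port (or port 0) means all ports, that java means port 80 and an omitted protocol means TCP (as in the parameter table above), that best fit means the longest mask and then the narrowest port range, that an except entry lifts a deny when it matches the opposite address, and that a packet matching no entry is permitted.

```python
"""Model of the PIX outbound/apply evaluation described in this section.
Constructed example, not PIX code. Assumptions: an omitted netmask means a
single host (255.255.255.255); '0' as address or mask means 0.0.0.0; an
omitted port (or port 0) means all ports; 'java' means port 80; an omitted
protocol means tcp; the most specific matching permit/deny entry wins
(longest mask, then narrowest port range) regardless of order; an except
entry matching the opposite address exempts the packet from a deny; a
packet that matches no entry is permitted."""
import ipaddress
import random
from dataclasses import dataclass

PROTOCOLS = ("tcp", "udp", "icmp")


@dataclass(frozen=True)
class Entry:
    action: str                      # permit | deny | except
    network: ipaddress.IPv4Network
    ports: tuple                     # (low, high); (0, 65535) means any
    protocol: str


def parse_outbound(line):
    """Parse 'outbound list_id permit|deny|except ip [mask [port[-port]|java] [protocol]]'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "outbound" or tok[2] not in ("permit", "deny", "except"):
        raise ValueError(f"not an outbound entry: {line!r}")
    list_id, action, ip, rest = tok[1], tok[2], tok[3], tok[4:]
    mask = "255.255.255.255"
    if rest and (rest[0] == "0" or "." in rest[0]):
        mask = rest.pop(0)
    ports = (0, 65535)
    if rest and rest[0].lower() not in PROTOCOLS:
        p = rest.pop(0)
        if p == "java":
            ports = (80, 80)
        elif p != "0":
            lo, _, hi = p.partition("-")
            ports = (int(lo), int(hi or lo))
    protocol = rest.pop(0).lower() if rest else "tcp"
    if rest:
        raise ValueError(f"trailing tokens in {line!r}")
    ip = "0.0.0.0" if ip == "0" else ip
    mask = "0.0.0.0" if mask == "0" else mask
    return list_id, Entry(action, ipaddress.IPv4Network((ip, mask), strict=False), ports, protocol)


def _matches(entry, addr, port, protocol):
    return (ipaddress.IPv4Address(addr) in entry.network
            and entry.ports[0] <= port <= entry.ports[1]
            and entry.protocol == protocol)


def evaluate(entries, apply_mode, src, dst, port, protocol="tcp"):
    """Verdict for one packet. 'outgoing_src': permit/deny match the source and
    except matches the destination. 'outgoing_dest': the reverse."""
    if apply_mode == "outgoing_src":
        rule_addr, except_addr = src, dst
    elif apply_mode == "outgoing_dest":
        rule_addr, except_addr = dst, src
    else:
        raise ValueError(apply_mode)
    best = None  # (specificity, entry); the order of entries never matters
    for e in entries:
        if e.action != "except" and _matches(e, rule_addr, port, protocol):
            specificity = (e.network.prefixlen, -(e.ports[1] - e.ports[0]))
            if best is None or specificity > best[0]:
                best = (specificity, e)
    if best is None or best[1].action == "permit":
        return "permit"
    # Best fit is a deny: an except on the opposite address lifts it.
    if any(e.action == "except" and _matches(e, except_addr, port, protocol) for e in entries):
        return "permit"
    return "deny"


# The section's list, applied as 'apply (accounting) limit_acctg outgoing_dest'.
LIMIT_ACCTG = [parse_outbound(l)[1] for l in (
    "outbound limit_acctg deny 10.200.200.0 255.255.255.0",
    "outbound limit_acctg except 10.10.1.51",
    "outbound limit_acctg permit 10.200.200.66",
    "outbound limit_acctg permit 10.200.200.67",
)]
APPLY_MODE = "outgoing_dest"


def decide(src, dst, port=80, protocol="tcp", entries=LIMIT_ACCTG):
    return evaluate(entries, APPLY_MODE, src, dst, port, protocol)


def order_independent(entries=LIMIT_ACCTG, trials=20):
    """Best fit means shuffling the list never changes a verdict."""
    cases = [("10.10.1.20", "10.200.200.5"), ("10.10.1.20", "10.200.200.66"),
             ("10.10.1.51", "10.200.200.5"), ("10.10.1.20", "10.50.0.1")]
    expected = [decide(s, d, entries=entries) for s, d in cases]
    rng = random.Random(1)
    for _ in range(trials):
        shuffled = list(entries)
        rng.shuffle(shuffled)
        if [decide(s, d, entries=shuffled) for s, d in cases] != expected:
            return False
    return True


if __name__ == "__main__":
    for s, d in [("10.10.1.20", "10.200.200.5"), ("10.10.1.20", "10.200.200.66"),
                 ("10.10.1.51", "10.200.200.5"), ("10.10.1.20", "10.50.0.1")]:
        print(f"{s} -> {d}: {decide(s, d)}")
    print("order independent:", order_independent())
```

Running it shows 10.10.1.20 denied to 10.200.200.5 but permitted to 10.200.200.66 (the host permit is more specific than the /24 deny), 10.10.1.51 permitted to anything in 10.200.200.0/24 through the except, and 10.10.1.20 permitted to an address the list never mentions. Calling evaluate with outgoing_src instead flips which address the except inspects, which is the check to make before trusting an exception you have written.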


There are a few things to consider when working with PIX access lists. First, it is recommended that you do not mix the access-list command with the conduit and outbound commands. Technically, these commands work together; however, the way they interact makes debugging difficult. The conduit and outbound commands operate with two interfaces, whereas the access-list command applies only to a single interface. If you choose to ignore this warning, remember that the access list is checked first; the conduit and outbound commands are checked after the access-list command. Second, the masks used in the PIX access-list and outbound commands are subnet masks, not wildcard masks.

Additional Dual-DMZ Configuration Considerations
Notice that there is a nat 0 command associated with the accounting DMZ. A nat 0 command exempts the listed addresses from NAT and PAT, so they cross the PIX unchanged. How could this be used to your advantage? Assuming that you do not use NAT and you assign nonroutable IP addresses to a DMZ, hosts on the Internet have no route back to those addresses and cannot reach this DMZ, while the local LANs can still reach the network. You can also provide additional protection when you are using routable IP addresses through the PIX. Whether or not you choose to use NAT on an interface does not really affect how that interface operates: the security levels and the conduit, outbound, and access-list rules still decide what is allowed, so treat the non-routability of the addresses as a convenience rather than as the control that protects the DMZ.

This concludes the configuration of the PIX Firewall, with the exception of VPNs. The remainder of this chapter covers VPNs, starting with Point-to-Point Tunneling Protocol (PPTP) and then moving on to IPSec VPNs.